PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-03)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-03.exe SHA256: b756a02776b6b33394b255ba99f4cc0379cccbe080f36fd80034a5a6e2ffaa3e

VirusTotal:

  • Detection Rate: 27/55
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-04-30 12:26:40
  • View report here

Unpacking

  1. Run the program under OllyDbg.
  2. Break on the instruction right after PUSHAD.

Figure 1. PUSHAD

  3. Set a hardware breakpoint (on access) on the stack address that ESP points to after PUSHAD.

Figure 2. Hardware breakpoint

  4. Run the program; it breaks on the POPAD that reads that stack slot.

Figure 3. POPAD

  5. Step until the return and you will see the unpacked code in raw form.

Figure 4. Unpacked code

  6. Press Ctrl+A to reanalyze the code.

Figure 5. Reanalyzed code

  7. Dump the process.

Figure 6. Dump
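Why steps 2 to 4 work, as an added Python model that is not part of the original post and does not touch the lab binary: a toy stub with constructed addresses and register values saves the registers with PUSHAD, a hardware on-access breakpoint is placed on the slot ESP points to afterwards, the first instruction to read that slot is POPAD, and the stub's PUSH/RET tail then lands on a constructed OEP.

```python
# Toy model of the ESP trick (constructed example, not the lab binary).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # PUSHAD order

class Cpu:
    def __init__(self):
        self.regs = {r: 0x11110000 + i for i, r in enumerate(REGS)}  # constructed
        self.regs["esp"] = 0x0012FFC4
        self.mem = {}       # dword address -> value
        self.hw_bp = None   # "hardware, on access" breakpoint address (step 3)
        self.hit = None     # address of the first instruction that touched hw_bp
    def push(self, value):
        self.regs["esp"] -= 4
        self.mem[self.regs["esp"]] = value
    def pop(self, eip):
        addr = self.regs["esp"]
        if addr == self.hw_bp and self.hit is None:
            self.hit = eip  # where the debugger would stop (step 4)
        self.regs["esp"] += 4
        return self.mem[addr]

def execute(cpu, eip, op, arg):  # returns a branch target, or None to fall through
    if op == "pushad":      # ESP is pushed with its value from before PUSHAD
        saved_esp = cpu.regs["esp"]
        for r in REGS:
            cpu.push(saved_esp if r == "esp" else cpu.regs[r])
    elif op == "popad":     # restores EDI..EAX; the saved ESP slot is skipped
        for r in reversed(REGS):
            value = cpu.pop(eip)
            if r != "esp":
                cpu.regs[r] = value
    elif op == "push":
        cpu.push(arg)
    elif op == "ret":
        return cpu.pop(eip)
    return None             # "unpack" is a no-op filler in this model

def run_esp_trick(program):  # program: [(address, op, arg)] -> (hw_bp, hit, OEP)
    by_addr = {addr: (op, arg) for addr, op, arg in program}
    order = [addr for addr, _, _ in program]
    cpu, eip = Cpu(), order[0]
    while eip in by_addr:
        op, arg = by_addr[eip]
        target = execute(cpu, eip, op, arg)
        if op == "pushad":              # steps 2/3: break after PUSHAD, watch [ESP]
            cpu.hw_bp = cpu.regs["esp"]
        eip = target if target is not None else order[order.index(eip) + 1]
    return cpu.hw_bp, cpu.hit, eip      # control left the stub: this is the OEP

STUB = [(0x409000, "pushad", None), (0x409001, "unpack", None), (0x409010, "popad", None),
        (0x409011, "push", 0x401000), (0x409016, "ret", None)]  # constructed stub and OEP
```

The breakpoint fires on the POPAD at 0x409010, and the RET leaves the stub for 0x401000; in OllyDbg that last address is where the raw unpacked code of step 5 appears.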